Cryptography Reference
However, despite their theoretical security, elliptic curve cryptosystems are vulnerable
to a variety of side-channel attacks (SCAs) that target the implementation of
the cryptosystem rather than its mathematical weaknesses and exploit the information
leaking during the proper or improper use of the cryptosystem. SCAs are generally
passive, i.e., the attacker observes a working cryptosystem without influencing its
operations. Examples of side-channel attacks include timing attacks, originally presented
in [239], and power analysis attacks, introduced in [240].
Fault analysis attacks (FAAs), on the other hand, are active attacks that use faults
to influence the operation of the system. FAAs range in cost and in complexity, from
the simple to the highly sophisticated. In essence, fault attacks seek to expose the
secret information partially or fully using invalid outputs that result from natural
or deliberate faults. Most fault attacks on ECC attempt to move the computation
from the secure curve to another, probably weaker, curve. This can be achieved by
injecting faults into the curve parameters, or the base point, or during the scalar
multiplication. Examples of this class of fault attacks include those presented in [44,
90, 122, 143]. On the other hand, the attack presented in [54] targets the sign of an
intermediate point in the scalar multiplication, and results in a faulty output point that
still belongs to the original curve. Moreover, some attacks like the safe-error fault
attack presented in [427] exploit a countermeasure against simple timing analysis,
while [430] presents an attack that exploits validation tests as a single point of failure.
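The following added example (not from the original chapter) shows on a toy curve why a faulted base point moves the computation onto a different curve, and how validating the input and output points detects it. The curve parameters, function names and the single-bit fault model are assumptions constructed for illustration.

```python
# Toy curve y^2 = x^3 + A*x + B over F_P_MOD. Constructed, textbook-sized
# parameters for illustration only (assumption; far too small for real use).
P_MOD, A, B = 17, 2, 2
G = (5, 1)   # base point on the curve above
INF = None   # point at infinity

def implied_b(pt):
    """The unique b for which pt satisfies y^2 = x^3 + A*x + b (mod P_MOD)."""
    x, y = pt
    return (y * y - x * x * x - A * x) % P_MOD

def on_curve(pt):
    return pt is INF or implied_b(pt) == B

def add(p1, p2):
    """Affine addition and doubling; note that B never appears here."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, P_MOD - 2, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, P_MOD - 2, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """Plain double-and-add with no validation."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def checked_scalar_mult(k, pt):
    """Validate the input point before and the result after multiplying."""
    if pt is INF or not on_curve(pt):
        raise ValueError("input point is not on the expected curve")
    out = scalar_mult(k, pt)
    if not on_curve(out):
        raise ValueError("result is not on the expected curve; output withheld")
    return out

def flip_x_bit(pt, bit=0):
    """Constructed fault model: one flipped bit in the stored x-coordinate."""
    return (pt[0] ^ (1 << bit), pt[1])
```

With the faulted base point, the unchecked routine returns a point whose implied b is 14 rather than 2, which is exactly what the validation rejects. A sign-change fault, as noted above, yields a point that still lies on the original curve, so this check alone does not detect it.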
In this chapter, we discuss known fault analysis attacks on elliptic curve cryptosystems.
We start by giving some background on elliptic curves and their use in
cryptography in Sect. 9.2, along with a brief overview of fault injection methods and
general techniques to prevent and detect faults. Section 9.3 follows with a survey
of the different classes of fault attacks that attempt to move the computation to an
invalid elliptic curve. Section 9.4 discusses the inherently different sign change fault
attack, while Sect. 9.5 addresses attacks that target specific parts of the implementation,
namely, validation and dummy operations. Section 9.6 gives a summary of
known countermeasures.
9.2 Background
This section aims to provide a brief overview of the mathematical concepts often
referred to throughout this chapter. Reference topics in abstract algebra, like [309],
and in cryptography, like [98, 176], can be consulted for a more extensive treatment
of these concepts. Moreover, we briefly discuss some of the known methods for fault
injection, which are covered in more detail in Sects. 16.2 and 17.3.